filter_kubernetes: use service account issuer to detect EKS env

[movence]

Background

Explored Related introduced filter_kubernetes to add Kubernetes metadata to logs and metrics. The filter historically relied on the presence of the aws-auth ConfigMap to determine if the cluster is running on Amazon EKS. However, with the launch of EKS access entries, the aws-auth ConfigMap is no longer guaranteed to be present in EKS clusters.

Problem

With the launch of EKS access entries, aws-auth ConfigMap is no longer guaranteed to be present in EKS clusters. Missing ConfigMap causes two issues:

• Noisy audit logs: Generates 404 not found errors in k8s audit logs when the aws-auth ConfigMap doesn't exist
• Incorrect platform tagging: EKS clusters using access entries (API ) are falsely tagged as Generic or K8s platform instead of AWS::EKS for "Explore Related" functionality

NA

---

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Using an EKS cluster with authemticationMode set to API to prevent aws-auth configmap from being created

# eksctl config
accessConfig:
   authenticationMode: API

Use CloudWatch LogInsights to search application log entries with metadata. Note the value for @entity.Attributes.PlatformType

## using public.ecr.aws/aws-observability/aws-for-fluent-bit:2.33.2
Field	Value
@entity.Attributes.K8s.Cluster	 mixed-133
@entity.Attributes.K8s.Namespace	 amazon-cloudwatch
@entity.Attributes.K8s.Node	 ip-192---.us-west-2.compute.internal
@entity.Attributes.K8s.Workload	 cloudwatch-agent
@entity.Attributes.PlatformType	 K8s

## with the new changes
Field	Value
@entity.Attributes.EKS.Cluster	mixed-133
@entity.Attributes.K8s.Namespace	amazon-cloudwatch
@entity.Attributes.K8s.Node	ip-192---.us-west-2.compute.internal
@entity.Attributes.K8s.Workload	cloudwatch-agent
@entity.Attributes.PlatformType	AWS::EKS

• Example configuration file for the change

application-log.conf: |
          [INPUT]
            Name                tail
            Tag                 application.*
            Exclude_Path        /var/log/containers/cloudwatch-agent*, /var/log/containers/fluent-bit*, /var/log/containers/aws-node*, /var/log/containers/kube-proxy*
            Path                /var/log/containers/*.log
            multiline.parser    docker, cri
            DB                  /var/fluent-bit/state/flb_container.db
            Mem_Buf_Limit       50MB
            Skip_Long_Lines     On
            Refresh_Interval    10
            Rotate_Wait         30
            storage.type        filesystem
            Read_from_Head      ${READ_FROM_HEAD}
          
          [INPUT]
            Name                tail
            Tag                 application.*
            Path                /var/log/containers/fluent-bit*
            multiline.parser    docker, cri
            DB                  /var/fluent-bit/state/flb_log.db
            Mem_Buf_Limit       5MB
            Skip_Long_Lines     On
            Refresh_Interval    10
            Read_from_Head      ${READ_FROM_HEAD}
          
          [INPUT]
            Name                tail
            Tag                 application.*
            Path                /var/log/containers/cloudwatch-agent*
            multiline.parser    docker, cri
            DB                  /var/fluent-bit/state/flb_cwagent.db
            Mem_Buf_Limit       5MB
            Skip_Long_Lines     On
            Refresh_Interval    10
            Read_from_Head      ${READ_FROM_HEAD}
          
          [FILTER]
            Name                aws
            Match               application.*
            enable_entity   true
          
          [FILTER]
            Name                kubernetes
            Match               application.*
            Kube_URL            https://kubernetes.default.svc:443
            Kube_Tag_Prefix     application.var.log.containers.
            Merge_Log           On
            Merge_Log_Key       log_processed
            K8S-Logging.Parser  On
            K8S-Logging.Exclude Off
            Labels              Off
            Annotations         Off
            Use_Kubelet         On
            Kubelet_Port        10250
            Buffer_Size         0
          
          [OUTPUT]
            Name                cloudwatch_logs
            Match               application.*
            region              ${AWS_REGION}
            log_group_name      /aws/containerinsights/${CLUSTER_NAME}/application
            log_stream_prefix   ${HOST_NAME}-
            auto_create_group   true
            extra_user_agent    container-insights

• Debug log output from testing the change

• Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

• Run local packaging test showing all targets (including any new ones) build.
• Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

• Documentation required for this feature

Backporting

• Backport to latest stable release.

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

• New Features

  • More reliable AWS EKS detection by inspecting service account token issuer (works in restricted clusters).

• Bug Fixes

  • Removed reliance on cluster ConfigMap checks, lowering required permissions and reducing misdetection.
  • Improved JWT parsing, error handling, and resource cleanup for more robust detection.

• Documentation

  • Updated internal comments to reflect the new issuer-based detection approach.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Replaced ConfigMap-based EKS detection with serviceaccount JWT issuer inspection and removed the exported AWS_AUTH_CONFIG_MAP macro. determine_platform now reads the serviceaccount token, parses the JWT payload, base64-decodes it, extracts "iss", and matches EKS OIDC URL patterns. (≤50 words)

Changes

Cohort / File(s)	Summary
Platform detection via JWT issuer plugins/filter_kubernetes/kubernetes_aws.c	Rewrote determine_platform to read the serviceaccount token file, validate/split the JWT (header.payload.signature), perform base64url decoding of the payload (handle -/_ and padding), parse JSON to extract "iss", detect oidc.eks.*.amazonaws.com/id/..., return 1 for EKS or -1 on failures; added error handling, memory cleanup, and included flb_utils.h.
Public macro cleanup plugins/filter_kubernetes/kube_conf.h	Removed exported macro AWS_AUTH_CONFIG_MAP (previously #define AWS_AUTH_CONFIG_MAP "aws-auth") and updated comments to describe issuer-based verification via serviceaccount token instead of ConfigMap lookup.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant FLB as Fluent Bit
  participant K8S as kubernetes_aws.c
  participant FS as Filesystem

  Note right of K8S `#F0F4FF`: determine_platform(ctx)
  K8S->>FS: read serviceaccount token file
  alt read fails
    K8S-->>FLB: return -1
  else token read
    K8S->>K8S: split JWT (header.payload.signature)
    alt malformed JWT
      K8S-->>FLB: return -1
    else JWT ok
      K8S->>K8S: base64url-decode payload (handle padding, -/_)
      alt decode fails
        K8S-->>FLB: return -1
      else decoded payload
        K8S->>K8S: parse JSON, extract "iss"
        alt issuer matches oidc.eks.*.amazonaws.com/id/...
          Note right of K8S `#DFF2E1`: EKS detected
          K8S-->>FLB: return 1
        else no match
          K8S-->>FLB: return -1
        end
      end
    end
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Review JWT splitting and validation logic.
• Verify base64url decoding, padding handling, and edge cases.
• Inspect JSON parsing and "iss" extraction, allocations/frees, and all error-return paths.
• Confirm inclusion and usage of flb_utils.h and portability implications.

Suggested labels

backport to v4.0.x

Suggested reviewers

• koleini
• fujimotos

Poem

I nibble tokens hidden in a stream,
I split small JWTs to chase a dream,
I pad and decode each curious bite,
I sniff an "iss" and hop to the right site,
A rabbit's leap — EKS found in moonlight. 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: replacing AWS ConfigMap-based EKS detection with service account issuer inspection.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4558c6b and 176bf18.

📒 Files selected for processing (2)

• plugins/filter_kubernetes/kube_conf.h (1 hunks)
• plugins/filter_kubernetes/kubernetes_aws.c (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

plugins/filter_kubernetes/kubernetes_aws.c (2)

src/flb_utils.c (1)

• flb_utils_read_file (1937-1940)

include/fluent-bit/flb_mem.h (1)

• flb_free (126-128)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

plugins/filter_kubernetes/kubernetes_aws.c (1)

297-300: Validate token_size after reading the Kubernetes token
Token constant is defined (kube_meta.h:55). Add a check that token_size > 0 and token_size <= FLB_KUBE_TOKEN_BUF_SIZE before using the buffer to guard against empty or overly large token reads.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 912b7d7 and 721ae39.

📒 Files selected for processing (2)

• plugins/filter_kubernetes/kube_conf.h (1 hunks)
• plugins/filter_kubernetes/kubernetes_aws.c (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

plugins/filter_kubernetes/kubernetes_aws.c (2)

src/flb_utils.c (1)

• flb_utils_read_file (1937-1940)

include/fluent-bit/flb_mem.h (1)

• flb_free (126-128)

🔇 Additional comments (5)

plugins/filter_kubernetes/kube_conf.h (1)

77-80: LGTM!

The updated comment accurately reflects the new platform detection approach using serviceaccount token issuer inspection. The removal of the AWS_AUTH_CONFIG_MAP macro (mentioned in the summary) aligns with the shift away from ConfigMap-based detection.

plugins/filter_kubernetes/kubernetes_aws.c (4)

26-26: LGTM!

The inclusion of flb_utils.h is necessary for the flb_utils_read_file function used in the new platform detection logic.

---

302-313: LGTM!

The JWT structure validation correctly checks for the expected three-part format (header.payload.signature) and properly handles cleanup on parse failures.

---

315-346: Locate flb_base64_decode implementation.

Run:

#!/bin/bash
rg -n "flb_base64_decode" -g '*.c' -g '*.h' -C3

---

286-386: No changes needed for determine_platform return handling.

The only caller in kube_meta.c correctly treats ret == -1 as non-EKS and all other values (i.e. 1) as EKS.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Replace manual JSON parsing with a proper parser.

The current string-based parsing for the "iss" field is fragile and may fail or produce false positives in the following scenarios:

• The "iss" field appears in a nested JSON object
• The issuer value contains escaped quotes
• Another field name contains "iss" as a substring (e.g., "missing")

Since the file already includes flb_jsmn.h (line 23), use the jsmn JSON parser for robust and reliable extraction of the issuer field.

Consider applying this approach:

/* Parse JSON payload using jsmn */
jsmn_parser parser;
jsmntok_t tokens[64];  /* Adjust size as needed */
int token_count;

jsmn_init(&parser);
token_count = jsmn_parse(&parser, payload, payload_len, tokens, sizeof(tokens)/sizeof(tokens[0]));

if (token_count < 0) {
    flb_free(payload);
    return -1;
}

/* Find and extract "iss" field value */
char *issuer = NULL;
size_t issuer_len = 0;

for (int i = 1; i < token_count; i++) {
    if (tokens[i].type == JSMN_STRING && 
        strncmp(payload + tokens[i].start, "iss", tokens[i].end - tokens[i].start) == 0) {
        /* Next token is the value */
        if (i + 1 < token_count && tokens[i + 1].type == JSMN_STRING) {
            issuer = payload + tokens[i + 1].start;
            issuer_len = tokens[i + 1].end - tokens[i + 1].start;
            break;
        }
    }
}

if (!issuer) {
    flb_free(payload);
    return -1;
}

🤖 Prompt for AI Agents

plugins/filter_kubernetes/kubernetes_aws.c lines 347-375: Replace the brittle
string-based "iss" extraction with jsmn parsing: initialize a jsmn_parser, parse
payload using payload_len into a tokens array (resize tokens if needed), check
token_count for errors and free payload on failure, then iterate tokens to find
a JSMN_STRING token whose content exactly equals "iss" (use
tokens[i].start/end), verify the next token exists and is a string, and set
issuer_start = payload + tokens[i+1].start and issuer_end = payload +
tokens[i+1].end; on any failure free payload and return -1; this handles nested
objects and escaped characters correctly.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 721ae39 and 1a27fbf.

📒 Files selected for processing (2)

• plugins/filter_kubernetes/kube_conf.h (1 hunks)
• plugins/filter_kubernetes/kubernetes_aws.c (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• plugins/filter_kubernetes/kubernetes_aws.c

🔇 Additional comments (1)

plugins/filter_kubernetes/kube_conf.h (1)

77-80: All references to AWS_AUTH_CONFIG_MAP have been removed
Search for AWS_AUTH_CONFIG_MAP across .c and .h files returned no results, confirming safe removal.

[zhihonl]

Should we keep this as a fallback for old clusters? Or does the issuer exist on both old and new cluster so it should just be the definitive mechanism for determining platforms?

[movence]

That is a good point. We found that the EKS service account issuer was introduced starting with EKS version 1.21, which has been EOL for quite some time now. This gave us confidence to move forward with this approach without a fallback.

[movence]

Hey @edsiper could you check this out since we've discussed it before?

[edsiper]

@codex review

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use base64url decoder for JWT payload

The new EKS detection reads the service account JWT and decodes the payload with flb_base64_decode. That helper only understands standard base64 (+ and /), while Kubernetes service account tokens are base64url encoded (- and _, no padding). Tokens containing those characters will make the decode call fail with FLB_BASE64_ERR_INVALID_CHARACTER, so determine_platform returns -1 even when running on EKS. This means most clusters will now be misclassified as generic Kubernetes. The payload should be converted from base64url to base64 or decoded with a base64url-capable routine before inspecting the iss field.

Useful? React with 👍 / 👎.

[edsiper]

cc: @movence ^

[movence]

Really appreciate your review @edsiper!! I have addressed the finding.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

plugins/filter_kubernetes/kubernetes_aws.c (3)

343-344: Consider using a separate variable for padding loop counter.

The variable payload_b64_len is reused as a loop counter when adding padding, which changes its semantic meaning from "original length" to "padded length". While functional, using a separate loop variable or explicitly renaming would improve clarity.

Example:

-    while (payload_b64_len < padded_len) {
-        payload_b64[payload_b64_len++] = '=';
+    for (size_t i = payload_b64_len; i < padded_len; i++) {
+        payload_b64[i] = '=';
     }
+    payload_b64_len = padded_len;

---

369-397: Consider using jsmn parser for more robust JSON parsing.

The current manual string parsing works for typical Kubernetes JWT payloads but may be fragile in edge cases:

• Escaped quotes in the issuer value
• The "iss" substring appearing in other field names
• Unusual JSON formatting or whitespace

Since the file already includes flb_jsmn.h (line 23), using the jsmn parser would provide more robust and maintainable parsing. This was suggested in a previous review.

However, given that Kubernetes service account JWTs have a predictable structure, the current approach is functional for the intended use case.

Based on previous review suggestions.

---

385-385: Whitespace handling could be more comprehensive.

The code skips only spaces and tabs after the colon, but not other whitespace characters like newlines (\n), carriage returns (\r), or other Unicode whitespace. While Kubernetes JWTs are typically compact, adding \n and \r to the skip list would make the parsing more robust.

-    while (*issuer_start == ' ' || *issuer_start == '\t') issuer_start++;
+    while (*issuer_start == ' ' || *issuer_start == '\t' || 
+           *issuer_start == '\n' || *issuer_start == '\r') issuer_start++;

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 79f7d75 and 7ee7a2c.

📒 Files selected for processing (2)

• plugins/filter_kubernetes/kube_conf.h (1 hunks)
• plugins/filter_kubernetes/kubernetes_aws.c (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• plugins/filter_kubernetes/kube_conf.h

🧰 Additional context used

🧬 Code graph analysis (1)

plugins/filter_kubernetes/kubernetes_aws.c (2)

src/flb_utils.c (1)

• flb_utils_read_file (1937-1940)

include/fluent-bit/flb_mem.h (1)

• flb_free (126-128)

🔇 Additional comments (4)

plugins/filter_kubernetes/kubernetes_aws.c (4)

26-26: LGTM: Include added for file reading utility.

The flb_utils.h include is necessary for flb_utils_read_file used to read the service account token.

---

286-308: LGTM: Variable declarations and token reading follow conventions.

The function properly declares all variables at the top per coding guidelines and handles token reading errors appropriately.

---

310-365: LGTM: JWT structure validation and base64url handling correctly implemented.

The code properly:

• Validates JWT structure (two dots separating three parts)
• Converts base64url to standard base64 (- to +, _ to /)
• Adds padding to ensure length is a multiple of 4
• Decodes the payload with proper error handling

This addresses the base64url decoding concerns raised in previous reviews.

---

399-417: LGTM: Pattern matching correctly scoped to issuer value.

The code now extracts the issuer value into a separate null-terminated string before performing pattern matching. This properly addresses the previous review concern about searching beyond the issuer field boundaries.

[edsiper]

@movence pls cleanup the git commit history according the guidelines

[edsiper]

@codex review

[chatgpt-codex-connector]

Codex Review: Didn't find any major issues. Bravo.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[movence]

@edsiper updated the commit history. Thanks!!

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7ee7a2c and 630081e.

📒 Files selected for processing (2)

• plugins/filter_kubernetes/kube_conf.h (1 hunks)
• plugins/filter_kubernetes/kubernetes_aws.c (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• plugins/filter_kubernetes/kube_conf.h

🧰 Additional context used

🧬 Code graph analysis (1)

plugins/filter_kubernetes/kubernetes_aws.c (2)

src/flb_utils.c (1)

• flb_utils_read_file (1937-1940)

include/fluent-bit/flb_mem.h (1)

• flb_free (126-128)

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 630081e and 4558c6b.

📒 Files selected for processing (2)

• plugins/filter_kubernetes/kube_conf.h (1 hunks)
• plugins/filter_kubernetes/kubernetes_aws.c (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• plugins/filter_kubernetes/kube_conf.h

🧰 Additional context used

🧬 Code graph analysis (1)

plugins/filter_kubernetes/kubernetes_aws.c (2)

src/flb_utils.c (1)

• flb_utils_read_file (1937-1940)

include/fluent-bit/flb_mem.h (1)

• flb_free (126-128)